Take5 (Episode #2) – Five Questions for Marcus Ranum

First a little background on the victim, Marcus Ranum, in his own words:

I don’t know how to describe myself, anymore. At this point I have held every job you can hold in the security industry – from system administrator to coder, engineering team leader, product manager, product marketing, CSO, CTO, and CEO, industry analyst, teacher, and consultant. If I got to choose which of those I’d rather you thought of me as, it’d be teacher.

Back in the early 90s I did a lot with developing firewalls, and designed and coded the DEC SEAL and TIS Firewall Toolkit – both of which were pretty popular and ground-breaking in their time. I also founded one of the early IDS start-ups, Network Flight Recorder (recently bought by Checkpoint) and served as CEO there for 4 years. Today, I am the CSO of Tenable Network Security – the company that produces the Nessus vulnerability scanner and a suite of security management tools. I live in the wilds of Pennsylvania with 2 huge dogs, 2 horses, and about 18 cats, and spend my spare time doing photography, farming, and too much other stuff to list.

1. Let’s get this out of the way first…The Security Industry vs. Marcus Ranum…Why so grumpy or are you just misunderstood?

I don’t understand! Does the security industry disagree with me? What, are they, stupid?

Just kidding. I’m grumpy – and justifiably so – because, like many security people, I’ve noticed that if you work really hard to organize your thinking about security so that it becomes clear – your good advice will be completely ignored anyhow. Many of the problems that we encounter all over the place today are just instances of the same problems that smarter people than myself predicted we’d have in the early 1980’s.

So, I see the industry as dangerously out of step with its constituents. Remember: this is about protecting real people against real bad things. It’s not a theoretical game. I get really pissed off when I see glib little sociopathic weasels putting innocent people at risk so they can market their products (to those same people!) – it disgusts me. And it disgusts me when I see the media, government agencies, and big-name vendors playing the game.

Those are the short-term frustrations. There are longer-term ones, as well. One of my dad’s friends was a cardiologist and he used to periodically go on a rant that went like this: "90% of my patients come in and are overweight, out of shape, and drink too much, smoke, or snort cocaine. They tell me all this and I tell them they’re ripe for a heart attack. Then I tell them that they need to lose some weight, exercise, and take it a bit easier on their bodies – and they look at me like I’m crazy and ask ‘what’s Plan B’?"

Well, that’s how I feel about security a lot of the time. The problems we deal with are so stupid and so obvious – sometimes it makes me want to ask executives, "What are you, retarded?" Even a Harvard MBA should be able to figure out that if you have copies of your data all over the place where anyone in the enterprise can get at them, it’s going to wind up on laptops and on the Internet.

So – I am frustrated and I am middle-aged (and then a little bit) – at a certain point I feel the long-term downside of speaking my mind will get less and less significant, so why not just let it all hang out?

2. You’re at Tenable Security as CSO now, what are you doing there and why? You and Ron Gula make a great couple, but are you involved in any other security or technology ventures?

Well, originally, it was Ron and Renaud. Tenable was already cooking along on course before I got involved. I knew Ron from the NFR days because I used to compete with him when he was selling the (now Enterasys) Dragon IDS against us. My role at Tenable is to be a mix between class clown, consultant, and technical trainer – I teach our customers’ classes on how to use our products and feed back ideas and questions through Ron. It works pretty well. Best of all, the rest of the management team at Tenable are all highly technical geeks.

There’s no arguing about how to do the right thing with Venture Capitalists because we’re self-bootstrapped and suit-free. On the other hand, we’ll argue all day about which Linux distro is better – if you can pick and choose your battles, I’ll take technical debates about how many angels can fit on a USB thumb-drive over talking to MBAs any day.

I serve as an advisor to several security start-ups and have to be very careful to keep from getting at competitive cross-purposes. But I love the advisory role – you can look at where a product is going and say, "hey, it’d be nice if it did X, Y, Z" – and a few months later, it does. It’s like being an important customer without having to talk to sales guys! I make a point of actually pounding on products and getting as deep as I can, too.

For example, I am on an advisory board for a company called Fortify that makes a source-code security analyzer tool, and I grabbed the product and spent a week running some of my own code (and other popular open source products) through it. That kind of thing can be really fun!

3. You’ve recently started publishing your "Rear Guard" PodCast. It’s quite entertaining and what some might describe as classic "Ranum." What attracted you to PodCasting and do you see starting a Blog?

I got interested in podcasting because I have a real problem with writing – I’ll write an article and go over it again and again and again until I’m happy with it. Writing is like pulling teeth for me. Sometimes, such as the time I was stuck in Frankfurt airport with nothing to do for 36 hours and the only electrical outlet was in the beer-bar – then I get a lot of writing done in a burst. But it doesn’t come easy for me whereas speaking does. So I was listening to a few of my old audio recordings from conferences and thought, "Hey, I can get stuff out there really fast this way!" Besides it’s a great way to play with tech toys like audio recorders and phone line-taps, etc!

Normally I am an instant nay-sayer about "the new thing" for its own sake but I think that podcasting is fascinating – essentially it’s completely liberated asynchronous radio. If that’s not fantastic, I don’t know what is! The barrier to entry is basically nonexistent – it’s so low there’s no need to worry about sponsorship or marketing crap to pay for it. It’s an environment where content truly is king: if your stuff is good, people will listen.

With respect to a blog – probably not. There are already great blogs out there and I don’t like the short note format. I prefer to write constructed arguments or tutorials; I just can’t whip out a couple paragraphs and let them go like some people can. Blogging tends to encourage a high volume of content. With my schedule and wildly varying energy/attention levels I can’t do more than an intermittent effort.

4. Are there any companies with emerging products or technology in the security space that you feel really "get it" and are doing the "right things" to move security ahead in the right direction?

I’d like to dodge that question, if I may. Otherwise I’ll sound like a marketing guy.

But the sad truth is that a lot of what I see out there is reinventing the wheel to varying degrees. The industry has reinvented antivirus and firewalls about ten times so far – of course it gets called something new and whizzbang each time. That’s inevitable (and uninteresting) because security is a moving target – someone is always getting new bright ideas like "let’s tunnel remote procedure calls over SSL by encoding them in XML" and the poor guys trying to secure it only have a limited set of techniques they can apply (content filtering, signatures, protocol analysis) and – of course – they’ll work as well as they always do.

There is cool stuff being done but I’d categorize it mostly as "solid new implementations of good old ideas." There’s nothing wrong with that, either.

5. As one of the "founding fathers" of network security — from your firewall days to NFR and beyond — what advice do you have for the up and coming security "professionals" who are going to have to deal with "securing" networks and assets in an already dynamic and hostile environment while serving the "Frappacino-YouTube-FaceBook-SecondLife-Tor-Twitter-I_Want_It_Now-AlwaysOn" generation who hack life?

Succinctly? "Get used to losing every battle you fight."

I actually get a fair number of Emails every month from people who are thinking about getting into information security. My old suggestion used to be to identify an interesting but not overly ambitious problem in the security space, make a decent attempt at making it less of a problem, and publish everything you can about what you did, why, and what you learned.

Thanks to the "bug of the minute" mindset we’re stuck in now, security has become an intellectual wasteland and the people who will be the next generation of stars will always be the ones who are solving problems (not creating them) and helping the poor outgunned IT specialist.

My new suggestion, when someone asks me about a career in security, is to reconsider the whole idea. In 10 years (probably less) security is going to re-collapse back into system administration and network administration. Your security practitioner of the future is going to be the guy who clicks the "make it secure" button on the rack of Cisco gear – and he’ll have no idea what that button does. On the systems side, he’ll be the Windows system administrator who forklift-pushes Microsoft Security for Windows to all the desktops, enables it, and reboots them. That’ll be that.

Note: I am not saying it’ll actually be secure, or work, but that’s about the tolerance for security effort that will be left in most IT executives’ minds. And, of course, security will be reporting to lawyers. After all these years of short-sighted security experts saying, "What we need is legislation…" now we’ve got it.

And, as a consequence, security is going to be permanently in the "expense" column and it’ll be a legal mitigation/triage game played by executives and lawyers, with the security guy’s job consisting mostly of hovering over the system admin’s shoulder to make sure that they actually clicked the "on" button where it says "security."

So – I think security’s about to suffer a mental and financial heat-death. Frankly, we deserve it. If you look at what security has accomplished in the minds of most IT execs, during the last 10 years, it has been an endless stream of annoying bug-fixes. All the positive stuff is completely overwhelmed by the flood of mal-this and mal-that and the constant yammering for attention from the vulnerability pimps.

6. Bonus question. Assuming I qualify the form factor to something that can be carried on your person, what’s your favorite weapon?

That would have to be my custom-forged Bugei daisho that I commissioned in the early 1990’s. But if it was a situation involving more horizontal separation, I’d have to go with my Barrett model 95 with the 8-32x US Optics scope.

"And, of course, security will be reporting to lawyers. After all these years of short-sighted security experts saying, 'What we need is legislation…' now we've got it."
Does this mean there are actually security guys that think that regulation is pointless and worthless? I think it is, but it seems like all I find are security guys wishing we had regulation to force businesses to be secure rather than letting a business choose the level of risk they want to pay to mitigate. Would love to hear more on this.

Jon:
That's a great question. I myself fell into that trap (wishing for legislation/regulation) only to later realize that this was short-sighted; I recognized that I had better be careful what I wished for because I might actually get it…
The problem with letting most businesses choose the level of risk they'd like to measure to is that most of them would take the low road (cynic's view) — you know what, I'm going to stop this mid-thought and think about this some more…
/Hoff